@socketsecurity/lib 5.11.2 → 5.11.3

package/dist/memoization.js

@@ -29,6 +29,7 @@ __export(memoization_exports, {
 });
 module.exports = __toCommonJS(memoization_exports);
 var import_debug = require("./debug");
+const cacheRegistry = [];
 function memoize(fn, options = {}) {
   const {
     keyGen = (...args) => JSON.stringify(args),
@@ -41,6 +42,10 @@ function memoize(fn, options = {}) {
   }
   const cache = /* @__PURE__ */ new Map();
   const accessOrder = [];
+  cacheRegistry.push(() => {
+    cache.clear();
+    accessOrder.length = 0;
+  });
   function evictLRU() {
     if (cache.size >= maxSize && accessOrder.length > 0) {
       const oldest = accessOrder.shift();
@@ -62,15 +67,22 @@ function memoize(fn, options = {}) {
   return function memoized(...args) {
     const key = keyGen(...args);
     const cached = cache.get(key);
-    if (cached && !isExpired(cached)) {
-      cached.hits++;
+    if (cached) {
+      if (!isExpired(cached)) {
+        cached.hits++;
+        const index2 = accessOrder.indexOf(key);
+        if (index2 !== -1) {
+          accessOrder.splice(index2, 1);
+        }
+        accessOrder.push(key);
+        (0, import_debug.debugLog)(`[memoize:${name}] hit`, { key, hits: cached.hits });
+        return cached.value;
+      }
+      cache.delete(key);
       const index = accessOrder.indexOf(key);
       if (index !== -1) {
         accessOrder.splice(index, 1);
       }
-      accessOrder.push(key);
-      (0, import_debug.debugLog)(`[memoize:${name}] hit`, { key, hits: cached.hits });
-      return cached.value;
     }
     (0, import_debug.debugLog)(`[memoize:${name}] miss`, { key });
     const value = fn(...args);
@@ -94,6 +106,10 @@ function memoizeAsync(fn, options = {}) {
   } = options;
   const cache = /* @__PURE__ */ new Map();
   const accessOrder = [];
+  cacheRegistry.push(() => {
+    cache.clear();
+    accessOrder.length = 0;
+  });
   function evictLRU() {
     if (cache.size >= maxSize && accessOrder.length > 0) {
       const oldest = accessOrder.shift();
@@ -112,22 +128,36 @@ function memoizeAsync(fn, options = {}) {
     }
     return Date.now() - entry.timestamp > ttl;
   }
+  const refreshing = /* @__PURE__ */ new Set();
   return async function memoized(...args) {
     const key = keyGen(...args);
     const cached = cache.get(key);
-    if (cached && !isExpired(cached)) {
-      cached.hits++;
+    if (cached) {
+      if (!isExpired(cached)) {
+        cached.hits++;
+        const index2 = accessOrder.indexOf(key);
+        if (index2 !== -1) {
+          accessOrder.splice(index2, 1);
+        }
+        accessOrder.push(key);
+        (0, import_debug.debugLog)(`[memoizeAsync:${name}] hit`, { key, hits: cached.hits });
+        return await cached.value;
+      }
+      if (refreshing.has(key)) {
+        (0, import_debug.debugLog)(`[memoizeAsync:${name}] stale-dedup`, { key });
+        return await cached.value;
+      }
+      cache.delete(key);
       const index = accessOrder.indexOf(key);
       if (index !== -1) {
         accessOrder.splice(index, 1);
       }
-      accessOrder.push(key);
-      (0, import_debug.debugLog)(`[memoizeAsync:${name}] hit`, { key, hits: cached.hits });
-      return await cached.value;
     }
     (0, import_debug.debugLog)(`[memoizeAsync:${name}] miss`, { key });
+    refreshing.add(key);
     const promise = fn(...args).then(
       (result) => {
+        refreshing.delete(key);
         const entry = cache.get(key);
         if (entry) {
           entry.value = Promise.resolve(result);
@@ -135,6 +165,7 @@ function memoizeAsync(fn, options = {}) {
         return result;
       },
       (error) => {
+        refreshing.delete(key);
         cache.delete(key);
         const index = accessOrder.indexOf(key);
         if (index !== -1) {
@@ -167,14 +198,16 @@ function Memoize(options = {}) {
 }
 function clearAllMemoizationCaches() {
   (0, import_debug.debugLog)("[memoize:all] clear", { action: "clear-all-caches" });
+  for (const clear of cacheRegistry) {
+    clear();
+  }
 }
 function memoizeWeak(fn) {
   const cache = /* @__PURE__ */ new WeakMap();
   return function memoized(key) {
-    const cached = cache.get(key);
-    if (cached !== void 0) {
+    if (cache.has(key)) {
       (0, import_debug.debugLog)(`[memoizeWeak:${fn.name}] hit`);
-      return cached;
+      return cache.get(key);
     }
     (0, import_debug.debugLog)(`[memoizeWeak:${fn.name}] miss`);
     const result = fn(key);

package/dist/packages/isolation.js

@@ -69,7 +69,15 @@ async function resolveRealPath(pathStr) {
 }
 async function mergePackageJson(pkgJsonPath, originalPkgJson) {
   const fs = /* @__PURE__ */ getFs();
-  const pkgJson = JSON.parse(await fs.promises.readFile(pkgJsonPath, "utf8"));
+  let pkgJson;
+  try {
+    pkgJson = JSON.parse(await fs.promises.readFile(pkgJsonPath, "utf8"));
+  } catch (error) {
+    throw new Error(
+      `Failed to parse ${pkgJsonPath}: ${error instanceof Error ? error.message : String(error)}`,
+      { cause: error }
+    );
+  }
   const mergedPkgJson = originalPkgJson ? { ...originalPkgJson, ...pkgJson } : pkgJson;
   return mergedPkgJson;
 }

package/dist/process-lock.js

@@ -179,7 +179,14 @@ class ProcessLockManager {
           if (existsSync(lockPath)) {
             throw new Error(`Lock already exists: ${lockPath}`);
           }
-          mkdirSync(lockPath, { recursive: true });
+          const lastSlash = Math.max(
+            lockPath.lastIndexOf("/"),
+            lockPath.lastIndexOf("\\")
+          );
+          if (lastSlash > 0) {
+            mkdirSync(lockPath.slice(0, lastSlash), { recursive: true });
+          }
+          mkdirSync(lockPath);
           this.activeLocks.add(lockPath);
           this.startTouchTimer(lockPath, touchIntervalMs);
           return () => this.release(lockPath);
@@ -204,7 +211,10 @@ class ProcessLockManager {
             );
           }
           if (code === "ENOTDIR") {
-            const lastSlashIndex = lockPath.lastIndexOf("/");
+            const lastSlashIndex = Math.max(
+              lockPath.lastIndexOf("/"),
+              lockPath.lastIndexOf("\\")
+            );
             const parentDir = lastSlashIndex === -1 ? "." : lockPath.slice(0, lastSlashIndex);
             throw new Error(
               `Cannot create lock directory: ${lockPath}
@@ -218,7 +228,10 @@ To resolve:
             );
           }
           if (code === "ENOENT") {
-            const lastSlashIndex = lockPath.lastIndexOf("/");
+            const lastSlashIndex = Math.max(
+              lockPath.lastIndexOf("/"),
+              lockPath.lastIndexOf("\\")
+            );
             const parentDir = lastSlashIndex === -1 ? "." : lockPath.slice(0, lastSlashIndex);
             throw new Error(
               `Cannot create lock directory: ${lockPath}

package/dist/promise-queue.d.ts

@@ -1,6 +1,7 @@
 export declare class PromiseQueue {
     private queue;
     private running;
+    private idleResolvers;
     private readonly maxConcurrency;
     private readonly maxQueueLength;
     /**
@@ -16,6 +17,7 @@ export declare class PromiseQueue {
      */
     add<T>(fn: () => Promise<T>): Promise<T>;
     private runNext;
+    private notifyIdleIfNeeded;
     /**
      * Wait for all queued and running tasks to complete
      */

package/dist/promise-queue.js

@@ -25,6 +25,7 @@ module.exports = __toCommonJS(promise_queue_exports);
 class PromiseQueue {
   queue = [];
   running = 0;
+  idleResolvers = [];
   maxConcurrency;
   maxQueueLength;
   /**
@@ -47,7 +48,7 @@ class PromiseQueue {
   async add(fn) {
     return await new Promise((resolve, reject) => {
       const task = { fn, resolve, reject };
-      if (this.maxQueueLength && this.queue.length >= this.maxQueueLength) {
+      if (this.maxQueueLength !== void 0 && this.queue.length >= this.maxQueueLength) {
         const droppedTask = this.queue.shift();
         if (droppedTask) {
           droppedTask.reject(new Error("Task dropped: queue length exceeded"));
@@ -59,6 +60,7 @@ class PromiseQueue {
   }
   runNext() {
     if (this.running >= this.maxConcurrency || this.queue.length === 0) {
+      this.notifyIdleIfNeeded();
       return;
     }
     const task = this.queue.shift();
@@ -71,19 +73,23 @@ class PromiseQueue {
       this.runNext();
     });
   }
+  notifyIdleIfNeeded() {
+    if (this.running === 0 && this.queue.length === 0) {
+      for (const resolve of this.idleResolvers) {
+        resolve();
+      }
+      this.idleResolvers = [];
+    }
+  }
   /**
    * Wait for all queued and running tasks to complete
    */
   async onIdle() {
+    if (this.running === 0 && this.queue.length === 0) {
+      return;
+    }
     return await new Promise((resolve) => {
-      const check = () => {
-        if (this.running === 0 && this.queue.length === 0) {
-          resolve();
-        } else {
-          setImmediate(check);
-        }
-      };
-      check();
+      this.idleResolvers.push(resolve);
     });
   }
   /**
@@ -102,7 +108,12 @@ class PromiseQueue {
    * Clear all pending tasks from the queue (does not affect running tasks)
    */
   clear() {
+    const pending = this.queue;
     this.queue = [];
+    for (const task of pending) {
+      task.reject(new Error("Task cancelled: queue cleared"));
+    }
+    this.notifyIdleIfNeeded();
   }
 }
 // Annotate the CommonJS export names for ESM import in node:

package/dist/promises.js

@@ -203,9 +203,7 @@ async function pRetry(callbackFn, options) {
     try {
       return await callbackFn(...args || [], { signal });
     } catch (e) {
-      if (error === import_core.UNDEFINED_TOKEN) {
-        error = e;
-      }
+      error = e;
       if (attempts < 0) {
         break;
       }

package/dist/releases/github.js

@@ -294,7 +294,11 @@ async function getReleaseAssetUrl(tag, assetPattern, repoConfig, options = {}) {
           { cause }
         );
       }
-      const asset = release.assets.find((a) => isMatch(a.name));
+      const assets = release.assets;
+      if (!Array.isArray(assets)) {
+        throw new Error(`Release ${tag} has no assets`);
+      }
+      const asset = assets.find((a) => isMatch(a.name));
       if (!asset) {
         const patternDesc = typeof assetPattern === "string" ? assetPattern : "matching pattern";
         throw new Error(`Asset ${patternDesc} not found in release ${tag}`);

package/dist/stdio/progress.js

@@ -196,7 +196,7 @@ class ProgressBar {
   }
 }
 function createProgressIndicator(current, total, label) {
-  const percent = Math.floor(current / total * 100);
+  const percent = total === 0 ? 0 : Math.floor(current / total * 100);
   const progress = `${current}/${total}`;
   let output = "";
   if (label) {

package/dist/validation/json-parser.js

@@ -27,7 +27,15 @@ __export(json_parser_exports, {
   tryJsonParse: () => tryJsonParse
 });
 module.exports = __toCommonJS(json_parser_exports);
-const { hasOwn: ObjectHasOwn } = Object;
+const DANGEROUS_KEYS = /* @__PURE__ */ new Set(["__proto__", "constructor", "prototype"]);
+function prototypePollutionReviver(key, value) {
+  if (DANGEROUS_KEYS.has(key)) {
+    throw new Error(
+      "JSON contains potentially malicious prototype pollution keys"
+    );
+  }
+  return value;
+}
 function safeJsonParse(jsonString, schema, options = {}) {
   const { allowPrototype = false, maxSize = 10 * 1024 * 1024 } = options;
   const byteLength = Buffer.byteLength(jsonString, "utf8");
@@ -38,20 +46,10 @@ function safeJsonParse(jsonString, schema, options = {}) {
   }
   let parsed;
   try {
-    parsed = JSON.parse(jsonString);
+    parsed = allowPrototype ? JSON.parse(jsonString) : JSON.parse(jsonString, prototypePollutionReviver);
   } catch (error) {
     throw new Error(`Failed to parse JSON: ${error}`);
   }
-  if (!allowPrototype && typeof parsed === "object" && parsed !== null && !Array.isArray(parsed)) {
-    const dangerous = ["__proto__", "constructor", "prototype"];
-    for (const key of dangerous) {
-      if (ObjectHasOwn(parsed, key)) {
-        throw new Error(
-          "JSON contains potentially malicious prototype pollution keys"
-        );
-      }
-    }
-  }
   if (schema) {
     const result = schema.safeParse(parsed);
     if (!result.success) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@socketsecurity/lib",
-  "version": "5.11.2",
+  "version": "5.11.3",
   "packageManager": "pnpm@10.33.0",
   "license": "MIT",
   "description": "Core utilities and infrastructure for Socket.dev security tools",
@@ -734,7 +734,7 @@
     "@socketregistry/is-unicode-supported": "1.0.5",
     "@socketregistry/packageurl-js": "1.3.5",
     "@socketregistry/yocto-spinner": "1.0.25",
-    "@socketsecurity/lib-stable": "npm:@socketsecurity/lib@5.11.1",
+    "@socketsecurity/lib-stable": "npm:@socketsecurity/lib@5.11.2",
     "@types/node": "24.9.2",
     "@typescript/native-preview": "7.0.0-dev.20250920.1",
     "@vitest/coverage-v8": "4.0.3",
@@ -764,15 +764,16 @@
     "npm-package-arg": "13.0.0",
     "oxfmt": "^0.37.0",
     "oxlint": "1.53.0",
+    "p-map": "7.0.4",
     "pacote": "21.0.1",
-    "picomatch": "2.3.1",
+    "picomatch": "4.0.4",
     "pony-cause": "2.1.11",
     "semver": "7.7.2",
     "signal-exit": "4.1.0",
     "spdx-correct": "3.2.0",
     "spdx-expression-parse": "4.0.0",
     "streaming-iterables": "8.0.1",
-    "supports-color": "10.0.0",
+    "supports-color": "10.2.2",
     "tar-fs": "3.1.2",
     "tar-stream": "3.1.8",
     "taze": "19.9.2",
@@ -821,7 +822,8 @@
       "minizlib": "3.1.0",
       "npm-package-arg": "12.0.2",
       "npm-pick-manifest": "10.0.0",
-      "picomatch": "4.0.3",
+      "p-map": "7.0.4",
+      "picomatch": "4.0.4",
       "proc-log": "6.1.0",
       "semver": "7.7.2",
       "signal-exit": "4.1.0",
@@ -829,7 +831,7 @@
       "ssri": "12.0.0",
       "string-width": "8.1.0",
       "strip-ansi": "7.1.2",
-      "supports-color": "10.0.0",
+      "supports-color": "10.2.2",
       "tar": "7.5.11",
       "which": "5.0.0",
       "wrap-ansi": "9.0.2",